Originator: FuzeKeys MCP Secrets-Broker.
Context / why: FuzeKeys' identity-vault MCP broker needs LLM agents to authenticate as machine identities acting on behalf of a user, under policy. FuzeFront's model (services/oidc.ts, utils/permit/*) only knows human users synced from Authentik — no service-account/client-credentials path, no "agent acts_on_behalf_of user" concept.
Asks:
- Bless Authentik service accounts + OAuth2 client-credentials as the family-standard machine-identity primitive; document registration + rotation.
- Provide guidance/helpers to sync a machine identity into Permit as a distinct principal (not a human user).
- Define the Agent —delegate_of→ User ReBAC relationship in the shared Permit environment (resource types + relationship) so an agent's reach derives from the user it represents.
Acceptance criteria:
- Documented way to register an agent service account in Authentik + obtain a client-credentials token.
- A Permit delegate_of relationship/role model in the shared env, with a worked permit.check(agent, action, resource) that denies cross-user/cross-tenant.
- No bespoke bearer-token scheme required of consumers.
Notifications requested: @-mention me on contract-freeze of the agent-identity model and on deployment.
STATE: blocks FuzeKeys broker agent-auth (interim: a hashed-token fallback). Cross-links the federated-AuthN issue.
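As an added illustration of the delegate_of acceptance criterion (not code from FuzeFront, FuzeKeys or the Permit SDK): an in-memory stand-in for the relationship model, with constructed tenants, users, agents and secrets, showing the derivation rule that an agent's reach is exactly its delegating user's reach and why the check must deny cross-user and cross-tenant requests even when the agent itself is valid.

```typescript
// Constructed in-memory model of the Agent -delegate_of-> User derivation (not Permit's SDK,
// not FuzeFront code). Tenants, keys and roles below are made-up sample data.
type Role = "owner" | "viewer";
interface Principal { key: string; tenant: string; kind: "user" | "agent" }
interface Resource { key: string; tenant: string }

const principals = new Map<string, Principal>();
const resources = new Map<string, Resource>();
const delegateOf = new Map<string, string>();   // agent key -> user key (the delegate_of tuple)
const roleOn = new Map<string, Role>();         // "userKey|resourceKey" -> role on that instance
const rolePermits: Record<Role, Set<string>> = {
  owner: new Set(["read", "rotate", "delete"]),
  viewer: new Set(["read"]),
};

function addUser(key: string, tenant: string) { principals.set(key, { key, tenant, kind: "user" }); }
function addAgent(key: string, tenant: string, user: string) {
  principals.set(key, { key, tenant, kind: "agent" });
  delegateOf.set(key, user);
}
function addSecret(key: string, tenant: string, owner: string) {
  resources.set(key, { key, tenant });
  roleOn.set(`${owner}|${key}`, "owner");
}

// Sample data (constructed): two tenants, one agent per user.
addUser("alice", "acme"); addUser("bob", "acme"); addUser("carol", "globex");
addAgent("agent-alice", "acme", "alice"); addAgent("agent-carol", "globex", "carol");
addSecret("secret:alice-db", "acme", "alice");
addSecret("secret:bob-api", "acme", "bob");
addSecret("secret:carol-key", "globex", "carol");

// Deny-by-default check: an agent has no standing of its own, only its delegating user's.
function check(principalKey: string, action: string, resourceKey: string): boolean {
  const p = principals.get(principalKey);
  const r = resources.get(resourceKey);
  if (!p || !r) return false;                        // unknown principal or resource
  let effective = p;
  if (p.kind === "agent") {
    const user = principals.get(delegateOf.get(p.key) ?? "");
    if (!user || user.kind !== "user") return false; // missing or dangling delegate_of tuple
    if (user.tenant !== p.tenant) return false;      // agent registered outside its user's tenant
    effective = user;
  }
  if (effective.tenant !== r.tenant) return false;   // cross-tenant
  const role = roleOn.get(`${effective.key}|${r.key}`);
  if (!role) return false;                           // cross-user: no relationship to this instance
  return rolePermits[role].has(action);
}
```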