Spec: cloud-identity · v0.1 · Kinetic Gain
Status: Draft — open spec, implementation in progress
Schema: schema.json (JSON Schema 2020-12) · Example: example.json
A machine-readable declaration of how a cloud platform deployment propagates identity, defaults its access posture, detects configuration drift, and where its evidence lives. One JSON document a security reviewer can read and verify across AWS, Microsoft Entra, Okta, and GCP — a common posture format instead of four bespoke spreadsheets.
It is verify-only by design. The identity_propagation.verification field is pinned to verify_only: Kinetic Gain verifies the platform issuer's signed identity and never mints its own session. A reviewer's first question — "whose session is this?" — has one answer, declared in the document and enforced by the validator.
Like the rest of the Kinetic Gain layer, this is a declaration, not a certification. It records an asserted posture and points to the evidence that backs it. It is composable with the platform's own controls, not a replacement for them.
| Field | Required | Purpose |
|---|---|---|
| kg_version | yes | Pins the document to a schema version ("0.1"). |
| platform | yes | provider (aws / entra / okta / gcp) and an opaque tenant_ref. |
| identity_propagation | yes | method (signed_jwt / federated_assertion), issuer, verification (always verify_only), and the validator component. |
| access_posture | yes | default (read_only / scoped_write), how writes are handled (named_audited_grant / denied), and optional conditional_access rules (principal / from / assurance). |
| drift | no | A declared config baseline, detection cadence, and last_checked. |
| data_classification | no | Classification scheme (purview / macie / custom), carried as control evidence. |
| evidence | yes | audit_stream, attestation, method. |
| status | yes | live / mapped / pending. |
The schema encodes the same if/then rule as the core-governance spec: a posture with status: "live" must carry an evidence.attestation URI. A posture you can't point a verifier at can't be declared live. The honesty policy on the public surfaces is the same rule, here made executable in the data model.
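As an added illustration (not the project's schema.json or its validator), a small Python checker that applies the rules this section states to constructed sample declarations; field names follow the table above, and every URI, tenant_ref and validator value is a placeholder.

```python
# Added example (not the project's schema.json or validator): a minimal checker
# that mirrors the constraints the spec text describes, run over constructed
# sample declarations. Field names follow the field table above.

REQUIRED = ("kg_version", "platform", "identity_propagation",
            "access_posture", "evidence", "status")
PROVIDERS = ("aws", "entra", "okta", "gcp")
METHODS = ("signed_jwt", "federated_assertion")
STATUSES = ("live", "mapped", "pending")


def check_posture(doc):
    """Return the list of violations; an empty list means the declaration passes."""
    errors = [f"missing required field: {f}" for f in REQUIRED if f not in doc]
    if doc.get("platform", {}).get("provider") not in PROVIDERS:
        errors.append("platform.provider must be one of " + "/".join(PROVIDERS))
    prop = doc.get("identity_propagation", {})
    if prop.get("method") not in METHODS:
        errors.append("identity_propagation.method must be one of " + "/".join(METHODS))
    # Verify-only by design: the issuer's signed identity is verified, never
    # replaced by a session minted here, so any other value is a violation.
    if prop.get("verification") != "verify_only":
        errors.append("identity_propagation.verification must be verify_only")
    status = doc.get("status")
    if status not in STATUSES:
        errors.append("status must be one of " + "/".join(STATUSES))
    # The if/then rule: a live posture must point a verifier at an attestation.
    if status == "live" and not doc.get("evidence", {}).get("attestation"):
        errors.append("status live requires evidence.attestation")
    return errors


# Constructed sample declaration; URIs, tenant_ref and validator are placeholders.
LIVE_DECLARATION = {
    "kg_version": "0.1",
    "platform": {"provider": "entra", "tenant_ref": "tenant-ref-placeholder"},
    "identity_propagation": {"method": "signed_jwt", "verification": "verify_only",
                             "issuer": "https://issuer.example/placeholder",
                             "validator": "kg-validator-placeholder"},
    "access_posture": {"default": "read_only"},
    "evidence": {"audit_stream": "https://audit.example/placeholder",
                 "attestation": "https://attest.example/placeholder",
                 "method": "signed-log-placeholder"},
    "status": "live",
}
# Same posture with the attestation dropped: fine as pending, rejected as live.
NO_ATTESTATION = {k: v for k, v in LIVE_DECLARATION["evidence"].items() if k != "attestation"}
PENDING_NO_ATTESTATION = {**LIVE_DECLARATION, "evidence": NO_ATTESTATION, "status": "pending"}
LIVE_NO_ATTESTATION = {**LIVE_DECLARATION, "evidence": NO_ATTESTATION}
```

Running check_posture over the three documents shows the same outcome the schema's if/then rule produces: the pending posture passes without an attestation, the live one does not.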
The aws, entra, and okta proof surfaces cite this spec for their posture and conditional-access proof points. Per-platform emphasis differs — AWS leans on landing-zone drift, Entra on conditional access and Purview classification, Okta on SSO/SCIM lifecycle — but all three declare against this one schema. Until this repo existed, those points had no backing artifact and were dropped under the anti-vapor rule. With the spec live, they rebind here and promote toward live as attestations ship.
```sh
# ajv-formats supplies the standard "uri"/"date-time" formats this schema uses.
npx -p ajv-cli -p ajv-formats ajv validate -s schema.json -d example.json --spec=draft2020 -c ajv-formats
```

v0.1 is a draft. Breaking changes bump the minor until v1.0; kg_version pins each document to its schema.
This spec defines a posture declaration format. Publishing a declaration asserts a posture and points to evidence. It does not assert certification, accreditation, or regulatory compliance.