Fastest Local Validation Path

Use this path for Day 1 validation with minimal setup.

You do not need enterprise IdP setup, two browser agents, or a hosted control plane to prove authority behavior locally.

Step 1: validate allow/deny in-process

• Use ActionGuard with a small local policy.
• Build one allowed request and one denied request.
• Confirm deny reason is deterministic and stable.

from predicate_authority import ActionGuard, InMemoryProofLedger, LocalMandateSigner, PolicyEngine
from predicate_contracts import ActionRequest, ActionSpec, PolicyEffect, PolicyRule, PrincipalRef
from predicate_contracts import StateEvidence, VerificationEvidence

rules = (
    PolicyRule(
        name="allow-orders-create",
        effect=PolicyEffect.ALLOW,
        principals=("agent:checkout",),
        actions=("http.post",),
        resources=("https://api.vendor.com/orders",),
    ),
)

guard = ActionGuard(
    policy_engine=PolicyEngine(rules=rules),
    mandate_signer=LocalMandateSigner(secret_key="replace-with-strong-secret"),
    proof_ledger=InMemoryProofLedger(),
)

request = ActionRequest(
    principal=PrincipalRef(principal_id="agent:checkout", tenant_id="tenant-a"),
    action_spec=ActionSpec(action="http.post", resource="https://api.vendor.com/orders", intent="submit order"),
    state_evidence=StateEvidence(source="sdk-python", state_hash="sha256:abc123"),
    verification_evidence=VerificationEvidence(signals=tuple()),
)

decision = guard.authorize(request)
print("allowed=", decision.allowed, "reason=", decision.reason.value)

Step 2: simulate delegated flow with two scripts

• Script A (root) requests a mandate with delegation depth limits.
• Script B (worker) uses that mandate for delegated actions.
• Validate success + expected failures (over-depth, revoked root, revoked intent).

Step 2b (optional): check Okta OBO compatibility

Before enterprise rollout, run the capability-gated compatibility check to decide delegation path:

• if tenant supports token exchange/OBO -> you can use IdP token exchange path,
• if not -> use authority mandate delegation fallback.

export OKTA_OBO_COMPAT_CHECK_ENABLED=1
export OKTA_SUPPORTS_TOKEN_EXCHANGE=true   # or false
python3 -m pytest tests/test_okta_obo_compatibility.py -k "live_check_when_enabled"

Step 2c (optional): check Entra OBO compatibility

Use this to determine whether Entra OBO can be used directly or if mandate delegation fallback should be used:

export ENTRA_OBO_COMPAT_CHECK_ENABLED=1
export ENTRA_SUPPORTS_OBO=true   # or false
python3 -m pytest tests/test_entra_obo_compatibility.py -k "live_check_when_enabled"

If ENTRA_SUPPORTS_OBO=true, also provide ENTRA_USER_ASSERTION for true OBO exchange validation.

Step 2d (optional): check OIDC token exchange compatibility

Use this when your enterprise IdP is generic OIDC (not Okta/Entra-specific) to decide delegation path:

• if provider supports token exchange -> use IdP token exchange path,
• if not -> use authority mandate delegation fallback.

export OIDC_COMPAT_CHECK_ENABLED=1
export OIDC_SUPPORTS_TOKEN_EXCHANGE=true   # or false
python3 -m pytest tests/test_oidc_compatibility.py -k "live_check_when_enabled"

If OIDC_SUPPORTS_TOKEN_EXCHANGE=true, also provide OIDC_SUBJECT_TOKEN for true token exchange validation.

Step 3: optional sidecar smoke test

• Start predicate-authorityd in local mode.
• Check /status, /metrics, /ledger/flush-now, and /ledger/dead-letter.
• Confirm ops endpoints work before enterprise integration.

Optional control-plane checks after sidecar smoke passes:

• verify audit integrity root/proof endpoints (/v1/audit/integrity/root, /v1/audit/integrity/proof/{event_id}),
• verify long-poll sync counters when --control-plane-sync-enabled is on.

When this path passes, then add enterprise IdP and web-agent E2E.