Development Phases

The project was built in 7 sequential phases over a single development session. Each phase produced working, tested code that built on the previous one.

Phase 0: Infrastructure Scaffold

Set up the foundation before any business logic.

ArtifactPurpose
packages/common/settings.pyPydantic-settings for all env vars
apps/identity_api/dependencies.pyAsync DB sessions + admin auth
apps/identity_api/main.pyFastAPI app with CORS + JSON logging
4 × DockerfileOne per service (identity, broker, gateway, mock)
scripts/generate_dev_keys.shRSA key pair generation
tests/conftest.pySQLite TestClient fixtures
pyproject.toml57 dependencies + entry points

Phase 1: Core Identity Model

Delivered: PostgreSQL schema, blueprint API, agent identity API, lifecycle state machine.

ComponentFilesTests
Enums + Base Modelpackages/common/6
AgentBlueprint modelpackages/identity_models/blueprint.py
AgentIdentity modelpackages/identity_models/agent.py
Pydantic schemaspackages/identity_models/schemas.py3
Repositoriesapps/identity_api/repositories/
API endpointsapps/identity_api/api/{blueprints,agents}.py10

Lifecycle states: draftpending_approvalactivesuspendedrevokeddecommissioned

Phase 2: Sessions and Tokens

Delivered: Runtime attestation, JWT session tokens, delegation grants.

ComponentFilesTests
RuntimeAttestation modelpackages/attestation/models.py
Attestation verifierpackages/attestation/verifier.py5
DelegationGrant modelpackages/identity_models/delegation.py
AgentSession modelpackages/identity_models/session.py
JWT issuer + validatorpackages/token_library/5
Session service + APIapps/identity_api/services/session_service.py7

Token security: RS256 asymmetric signing, 30-min max lifetime, audience validation, nonce-based replay prevention.

Phase 3: Policy Enforcement

Delivered: Policy adapter interface, OPA integration, scope intersection.

ComponentFilesTests
Policy adapter (ABC)packages/policy_client/adapter.py
Python policy adapterpackages/policy_client/python_adapter.py6
OPA adapterpackages/policy_client/opa_adapter.py
Rego policiespolicies/agent_access.rego
/v1/authorize endpointapps/identity_api/api/authorization.py3
Property-based teststests/unit/test_policy_properties.py2

Phase 4: MCP Gateway

Delivered: Gateway proxy, tool registry, auth middleware.

ComponentFilesTests
Tool registryapps/mcp_gateway/tool_registry/registry.py4
Auth middlewareapps/mcp_gateway/middleware/auth.py
Proxy forwarderapps/mcp_gateway/proxy/forwarder.py
Mock MCP serverapps/mock_mcp_server/main.py8

Phase 5: Token Brokerage

Delivered: Credential provider interface, mock OAuth, static secret injection.

ComponentFilesTests
CredentialLease modelpackages/identity_models/credential_lease.py
Provider interfaceapps/token_broker/providers/base.py
Mock OAuth + Static Secretapps/token_broker/providers/4
/v1/token-exchangeapps/token_broker/main.py2

No raw credentials stored — lease records contain only metadata.

Phase 6: Audit Chain

Delivered: Tamper-evident hash chain, audit API.

ComponentFilesTests
AuditEvent modelpackages/audit/models.py
SHA256 hash chainpackages/audit/chain.py3
Audit writerpackages/audit/writer.py
Audit APIapps/identity_api/api/audit.py

Phase 7: Integration + Documentation

Delivered: Python SDK, demos, architecture docs.

ComponentFilesTests
AgentIdentityClient SDKpackages/common/client.py4
5 demo scenariosexamples/
7 ADRsdocs/adr/
Architecture docsdocs/

Test Growth

P1: 19
P2: 36
P3: 47
P4: 59
P5: 65
P6: 68
P7: 72