Non-Kubernetes agent identity support (OIDC workload identity)

[haasonsaas]

Context

ASB authenticates agent workloads via Kubernetes projected service account JWTs. This is effective in K8s but not portable to non-K8s runtimes (local dev, cloud VMs, serverless, CI/CD runners).

Why it matters

• Maestro runs locally on developer machines, not in K8s
• CI/CD agents run in GitHub Actions, not K8s
• Competitors (Vault A2A, Aembit) support OIDC for broader workload identity
• Enterprise adoption requires agent secret brokering wherever agents run

Suggested approach

• OIDC workload identity federation (GitHub Actions OIDC, GCP workload identity, Azure MI)
• CLI-based session bootstrapping for local development (via identity service tokens)
• Attestation claims normalized across K8s SA JWT and OIDC tokens
• Maintain K8s as the primary path; OIDC as extension, not replacement