Tracking: ADR-0007 (External JWKS federation) implementation follow-ups

[Knapp-Kevin]

ADR-0007 (External JWKS federation for cross-org agent identity, merged in #1385) landed as a design proposal. The "Follow-up work" section includes a few concrete implementation items that are near enough to track as issue work.

This issue is scoped to the actionable near-term implementation sequence. Longer horizon design topics have moved to Discussion #2273 so they stay visible without reading as committed delivery scope.

Items

• ExternalJWKSProvider implementation: provider module in agentmesh/identity/, plus tests. In progress in feat(identity): add ExternalJWKSProvider for cross-org agent federation (ADR-0007) #2268.
• IdentityProviderChain abstraction: ADR-0007 sketches this, but no chain class exists in agentmesh/identity/ today. Worth its own design pass before code lands.
• HandshakeResult.external_identity field: ADR-0007 proposes this addition to agentmesh/trust/handshake.py, but it is not yet in code. Should land alongside or after the chain abstraction so the field has a consumer.
• Federation policy configuration: YAML/JSON schema for FederationPolicy, loadable from AGT's existing config system.

Out of scope for this tracker

The following topics are longer horizon design questions and are now tracked in Discussion #2273:

• discovery registry
• cross-bridge liveness propagation
• DIF MCP-I alignment
• push-based revocation propagation

Notes

• feat(identity): add ExternalJWKSProvider for cross-org agent federation (ADR-0007) #2268 intentionally ships the provider only. The chain abstraction and HandshakeResult field are follow-up implementation work.
• Happy to split the remaining items into separate issues once maintainers want a narrower owner and acceptance criteria for each.

Closes by: completion of the four checkboxes above, or maintainer decision to split them into separate trackers.

[github-actions]

🔴 Contributor Check: HIGH

Check	Result
Profile	HIGH
Credential	NONE
Overall	HIGH

Automated check by AGT Contributor Check.

[miyannishar]

Thanks for putting this together @Knapp-Kevin, appreciate the structured tracking.

One suggestion: the first 4 items (provider, chain abstraction, handshake field, federation policy config) are concrete and near-term. The last 3 (discovery registry, DIF MCP-I alignment, push-based revocation) are speculative or blocked on external specs that haven't stabilized yet.

I'd trim this issue to just the concrete items and move the longer-term vision stuff to a Discussion thread. Issues carry implicit commitment weight, and we don't want someone pointing at "DIF alignment" 6 months from now asking why it's not done.

Keep this as the actionable tracker for what's actually landing soon, and let the Discussion capture the roadmap ideas without creating false expectations.

[DhineshPonnarasan]

@miyannishar I would like to work on this

[Knapp-Kevin]

@miyannishar I would like to work on this

I've already submitted the PR here, but I welcome any feedback.
PR #2268

[miyannishar]

@miyannishar I would like to work on this

I've already submitted the PR here, but I welcome any feedback. PR #2268

Added some comments there. Pls address those.

[Knapp-Kevin]

@miyannishar agreed. I'll keep this issue focused on the concrete near-term work and move the longer-horizon items to a Discussion so they don't read as committed delivery scope.

For this tracker, that means provider, chain abstraction, handshake field, and federation policy config. Discovery registry, DIF MCP-I alignment, and push-based revocation can live as roadmap/design discussion until the dependencies settle.

I'll address the PR comments on #2268 first, then clean up this tracker.

[Knapp-Kevin]

@miyannishar trimmed #2269 to the near-term implementation items and moved the longer horizon topics to Discussion #2273. Thanks for the scope nudge.

[imran-siddique]

Good tracking issue. The four items are well-scoped. Implementation priority may differ from the listed order: the ExternalJWKSProvider (#2268) is the right starting point, followed by the IdentityProviderChain abstraction. Federation policy config and HandshakeResult field can follow once the chain exists. Happy to review PRs as they come in.