Enterprise Trust

Org-scoped trust dashboard, enterprise auth configuration, and governance readiness posture.

What enterprise trust provides

Enterprise trust is an additive, org-scoped governance layer on top of the workspace control plane. It provides visibility into trust posture, enterprise auth readiness, and compliance controls.

Trust stack

Each layer builds on the one below. Enterprise trust does not replace workspace governance — it adds org-scoped visibility and controls on top.

  ┌──────────────────────────────────────────────────┐
  │  Compliance Export                               │
  │  CSV/JSON audit trails, evidence bundles,        │
  │  retention-aware data export                     │
  ├──────────────────────────────────────────────────┤
  │  Enterprise Trust                                │
  │  Org admin, SSO/SAML/SCIM, trust dashboard,      │
  │  authoritative governance mode                   │
  ├──────────────────────────────────────────────────┤
  │  Fleet Management                                │
  │  Multi-workspace visibility, drift detection,    │
  │  policy distribution, runtime health monitoring  │
  ├──────────────────────────────────────────────────┤
  │  Evidence Vault                                  │
  │  Immutable action receipts, custody model,       │
  │  provenance, evidence chain per task             │
  ├──────────────────────────────────────────────────┤
  │  Control Plane                                   │
  │  Sessions, dispatch, approvals,                  │
  │  policies, budgets, telemetry, A2A signals       │
  ├──────────────────────────────────────────────────┤
  │  Kernel                                          │
  │  4-level scope, policy engine, sandbox,          │
  │  tool execution, evidence capture                │
  └──────────────────────────────────────────────────┘

Trust dashboard

The trust page at /dashboard/trust is visible only to workspace operators (owner or admin role). It shows:

  • Live controls: Evidence Vault, compliance export — operational today
  • Planned controls: Org-level admin, SSO, SAML, and SCIM enforcement — roadmap items
  • Operator workspace count in scope
  • Governance root confirmation (workspace-scoped, additive)

Info: Enterprise trust does not bypass workspace governance. Admin and reviewer roles cannot override workspace-level approvals or policies.

Enterprise auth configuration

Record SSO, SAML, and SCIM intent via the enterprise API. The config toggles are live; the actual IdP sign-in and provisioning flows are still in development, so do not treat these as procurement-ready enterprise auth yet.

GET /api/v1/enterprise — fetch current config and readiness
PUT /api/v1/enterprise — update config (operator-only)

| Feature | Status | Notes |
|---|---|---|
| SSO toggle | Config toggle live | Enable/disable per org; the org-scoped SSO sign-in flow itself is still planned |
| SAML | Stub | Metadata endpoint exists, IdP integration pending |
| SCIM | Planned | POST/GET /scim/Users returns 501 Not Implemented (RFC 7644 §3.12) until bearer-token IdP provisioning ships |

SAML metadata

When SAML is enabled, GET /api/v1/enterprise/saml/metadata returns SP metadata XML with entity ID and ACS URL.

SCIM provisioning

POST /api/v1/enterprise/scim/Users (and GET) returns 501 Not Implemented with body {"error":"not_implemented","detail":"SCIM provisioning is planned but not live..."} per RFC 7644 §3.12. The endpoint is intentionally dead until bearer-token IdP provisioning ships; IdPs MUST treat 501 as a hard "do not retry" signal.

Access control

All enterprise endpoints require the org-operator role — the user must be an owner or admin in at least one workspace within the org. Non-operators receive 403.
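The SCIM stub and the access-control rule above, as an added example (not the project's own code): a simulated server side that applies the org-operator gate before the 501 stub, and an IdP-side classifier that treats 501 as a hard stop rather than a retryable 5xx. Request/response shapes, the role names beyond owner/admin, and the placeholder detail text are assumptions.

```python
# Behaviour documented on the page: enterprise endpoints need the org-operator
# role (owner or admin in at least one workspace) or 403; SCIM /Users answers
# 501 Not Implemented with a fixed JSON body (RFC 7644 §3.12).
# Handler signatures and the detail text below are assumptions for this example.
OPERATOR_ROLES = {"owner", "admin"}
SCIM_NOT_IMPLEMENTED = {
    "error": "not_implemented",
    # constructed placeholder; the page elides the full detail text
    "detail": "SCIM provisioning is planned but not live (placeholder)",
}


def handle_scim_users(method: str, workspace_roles: list[str]) -> tuple[int, dict]:
    """Simulated server: role gate first, then the intentionally dead 501 stub."""
    if not OPERATOR_ROLES.intersection(workspace_roles):
        return 403, {"error": "forbidden"}        # non-operator, per Access control
    if method not in ("GET", "POST"):
        return 405, {"error": "method_not_allowed"}  # assumed; page only lists GET/POST
    return 501, dict(SCIM_NOT_IMPLEMENTED)


def provisioning_action(status: int) -> str:
    """IdP-side policy: decide whether a provisioning response is retryable.

    The ordering matters: 501 must be classified before the generic 5xx
    branch, otherwise a backoff loop keeps hammering a dead endpoint.
    """
    if status == 501:
        return "stop"       # hard "do not retry" signal; surface to admins instead
    if status in (401, 403):
        return "stop"       # credential or role problem; retrying cannot fix it
    if status == 429 or 500 <= status < 600:
        return "retry"      # transient; back off and retry
    return "ok" if 200 <= status < 300 else "stop"


def push_user(method: str, workspace_roles: list[str]) -> str:
    """Full round trip: simulated request, then the client-side decision."""
    status, _body = handle_scim_users(method, workspace_roles)
    return provisioning_action(status)
```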

Readiness model

Enterprise auth readiness is dynamic, derived from actual org configuration:

| Readiness | Meaning |
|---|---|
| Live today | Feature is enabled and operational |
| Planned | Architecture exists, implementation pending |