local IdP

Author: rcholic

README.md

@@ -142,6 +142,20 @@ python examples/delegation/entra_obo_compat_demo.py \
   --scope "$ENTRA_SCOPE"
 ```
 
+### Local IdP quick command
+
+```bash
+export LOCAL_IDP_SIGNING_KEY="replace-with-strong-secret"
+predicate-authorityd \
+  --host 127.0.0.1 \
+  --port 8787 \
+  --mode local_only \
+  --policy-file examples/authorityd/policy.json \
+  --identity-mode local-idp \
+  --local-idp-issuer "http://localhost/predicate-local-idp" \
+  --local-idp-audience "api://predicate-authority"
+```
+
 ## Operations CLI
 
 `predicate-authority` provides an ops-focused CLI for sidecar/runtime workflows.

predicate_authority/README.md

@@ -71,3 +71,25 @@ python examples/delegation/entra_obo_compat_demo.py \
   --client-secret "$ENTRA_CLIENT_SECRET" \
   --scope "${ENTRA_SCOPE:-api://predicate-authority/.default}"
 ```
+
+## Local IdP quick example
+
+```python
+from predicate_authority import LocalIdPBridge, LocalIdPBridgeConfig
+from predicate_contracts import PrincipalRef, StateEvidence
+
+bridge = LocalIdPBridge(
+    LocalIdPBridgeConfig(
+        issuer="http://localhost/predicate-local-idp",
+        audience="api://predicate-authority",
+        signing_key="replace-with-strong-secret",
+        token_ttl_seconds=300,
+    )
+)
+
+token = bridge.exchange_token(
+    PrincipalRef(principal_id="agent:local", tenant_id="tenant-a"),
+    StateEvidence(source="backend", state_hash="sha256:local-state"),
+)
+print(token.provider.value, token.access_token[:24] + "...")
+```