Citizen Multi-device SSO (HMI)¶
Objective¶
Define one identity experience for citizens, collaborators, and internal teams across PC, notebook, tablet, smartphone, and gadgets, while preserving human-decision traceability (HILT) and auditable evidence.
Adopted architecture decision¶
Option A (self-hosted OIDC broker) is the baseline:
- Central self-hosted IdP (for example Keycloak) as identity broker.
oauth2-proxyas the web access gateway for governed apps.- Claims by
role + audience + device + riskto route portal views. - Mandatory HILT for
high|criticalrisk levels.
HMI map by device¶
| Code | Device | Recommended flow |
|---|---|---|
D1 |
Personal smartphone | OIDC + MFA + compact mobile directives |
D2 |
Institutional laptop | OIDC + MFA + documentary evidence |
D3 |
Technical workstation | OIDC + least privilege + hardening |
D4 |
Local server/cluster | Bastion + federated OIDC + runtime traces |
D5 |
Cloud infrastructure | Federated IAM + centralized audit |
D6 |
Classroom tablet/device | MDM + guided onboarding + managed profiles |
Governance matrix by role¶
Canonical source files:
knowledge/datasets/citizen-role-device-risk-matrix.tsvknowledge/datasets/citizen-device-taxonomy.tsvknowledge/datasets/citizen-evidence-catalog.tsvknowledge/datasets/citizen-hmi-ux-contract.tsvknowledge/datasets/citizen-repo-permission-routing.tsv
Local-first validation:
python3 scripts/verify/citizen_role_device_risk_guard.py
python3 scripts/verify/citizen_hmi_ux_guard.py
python3 scripts/verify/citizen_repo_permission_routing_guard.py
UXUI contract by actor and device¶
citizen-hmi-ux-contract.tsv defines, for every role + device pair:
- HMI surface (
mobile_web,desktop_web,workstation_console,bastion_cli,tablet_classroom). - Navigation mode (
guided,taskboard,evidence-first,ops-first,narrative). - Content density and accessibility profile (WCAG/keyboard/screen-reader).
- Authentication friction by risk (
silent-sso,mfa,step-up-mfa). - HILT prompt style for
high|criticalrisk operations.
This turns UX from subjective preference into a GitOps-governed, auditable contract.
Repository permission routing (same URL entrypoint)¶
The portal routes from the same URL using the permission claim:
| Permission | Default destination |
|---|---|
read |
portal/institutional-onboarding/ |
write |
portal/github-collaboration-hub/ |
maintainer |
portal/tech-people-context-steward-quickstart/ |
admin |
portal/human-decision-protocol/ (or personal VDI if claim is present) |
owner |
Personal VDI (atq_vdi_url or fallback /vdi/<username>/) |
Outcome: one entrypoint with adaptive routing by permission + role + device + risk.
Onboarding integration¶
The onboarding wizard now captures:
- Initial citizen role.
- Primary device (D1..D6).
- Citizen SSO preference.
This enables day-1 personalization of route, narrative, and controls.
Guardrails¶
- No decision closure without
evidence_codes. high|criticalrisk requires explicit HILT.- Experience router never grants privilege by default.
- Every role/device change must be traceable in issue/PR evidence.
Proprietary CLI Framework (Human-first Operations)¶
Canonical entrypoint to translate the SSO contract into human-readable CLI operations:
scripts/proxmox/device_sso_cli_framework.sh (ATQ-CLI-SSO-DEVICE-V1)
Capabilities:
- Audience narrative (
ops|exec|legal|onboarding). - Language mode
colloquial|technical. - Explicit professional contexts:
public-admin,education-center,vocational-student. - ASCII mindmap for layers/hops and Linux process-management coaching.
- OEM + overlay profiles through
HOSTPROXMOXgateway and mesh-node registration for decentralized community compute.
Quick example:
bash scripts/proxmox/device_sso_cli_framework.sh describe \
--audience onboarding \
--professional-context public-admin \
--language colloquial
Mesh node registration example: