This repository implements the Identity Surface layer of the ThreadForge platform.
ThreadForge is an identity-first runtime architecture for securely executing distributed services and AI agents using workload identity and policy-driven communication boundaries.
Platform architecture reference: https://github.com/computeaholic/threadforge-reference-architecture
Deterministic identity and admission installer for containment substrate validation.
The Identity Surface layer establishes verifiable workload identity inside the cluster.
It installs the minimal SPIFFE/SPIRE identity plane and Kubernetes admission controls required for higher-level runtime policy enforcement.
This layer provides the cryptographic identity foundation used by the Secure Runtime and Containment Surface layers.
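As an added illustration of what "verifiable workload identity" means to a consumer of this layer (example code, not part of this repository), the following Python check parses a SPIFFE ID per the SPIFFE ID specification and accepts only well-formed IDs in an assumed trust domain that use the `ns/<namespace>/sa/<serviceaccount>` path shape SPIRE's Kubernetes attestor commonly emits. The trust domain value and the path shape are assumptions, not values taken from this repository.

```python
import re
from dataclasses import dataclass

# Added example, not ThreadForge code. The trust domain and the ns/<ns>/sa/<sa>
# path shape are assumptions mirroring SPIRE's common Kubernetes convention.
TRUST_DOMAIN = "threadforge.example"  # placeholder trust domain
_TD_RE = re.compile(r"^[a-z0-9._-]+$")      # SPIFFE trust-domain charset
_SEG_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # SPIFFE path-segment charset

@dataclass(frozen=True)
class SpiffeId:
    trust_domain: str
    path: str  # "" or begins with "/"

def parse_spiffe_id(raw: str) -> SpiffeId:
    """Parse per the SPIFFE ID spec; raise ValueError on anything malformed."""
    if len(raw.encode()) > 2048:
        raise ValueError("SPIFFE ID exceeds 2048 bytes")
    if not raw.startswith("spiffe://"):
        raise ValueError("scheme must be spiffe://")
    rest = raw[len("spiffe://"):]
    if "?" in rest or "#" in rest:
        raise ValueError("query and fragment components are not allowed")
    td, sep, path = rest.partition("/")
    if not td or len(td) > 255 or not _TD_RE.fullmatch(td):
        raise ValueError(f"invalid trust domain {td!r}")
    if sep:  # a trailing or doubled "/" yields an empty segment and is rejected
        for seg in path.split("/"):
            if seg in ("", ".", "..") or not _SEG_RE.fullmatch(seg):
                raise ValueError(f"invalid path segment {seg!r}")
        path = "/" + path
    return SpiffeId(td, path)

def is_valid_spiffe_id(raw: str) -> bool:
    try:
        parse_spiffe_id(raw)
        return True
    except ValueError:
        return False

def workload_identity(raw: str, trust_domain: str = TRUST_DOMAIN):
    """Return (namespace, serviceaccount) only for a well-formed ID in our trust
    domain with the exact ns/<ns>/sa/<sa> shape; anything else yields None."""
    if not is_valid_spiffe_id(raw):
        return None
    sid = parse_spiffe_id(raw)
    if sid.trust_domain != trust_domain:
        return None  # foreign or federated trust domain is not our workload
    parts = sid.path.split("/")  # ["", "ns", <ns>, "sa", <sa>]
    if len(parts) != 5 or parts[1] != "ns" or parts[3] != "sa":
        return None
    return parts[2], parts[4]
```

A policy layer built on top of this identity plane would make its decision on the returned (namespace, serviceaccount) pair rather than on the raw string, so malformed or foreign IDs are rejected before any policy is consulted.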
- Kubernetes v1.26+ (ValidatingAdmissionPolicy GA)
- AdmissionRegistration enabled
- Cluster-admin privileges for installation
- Conformant Kubernetes API server (no CRD bootstrapping performed by this repo)
This repository does not provision Kubernetes.
This repository does not install Kubernetes-owned CRDs.
- Assumes an existing Kubernetes cluster (Kubernetes v1.26+)
- Assumes AdmissionRegistration is enabled
- Does not provision a cluster
- Uses Kustomize only (no Helm)
- Does not include data-plane services
- Does not include observability stack
- Does not include storage systems
- Does not include research platform components
Installs the minimal workload identity and admission plane required for containment checks.
```sh
make install
make validate
make uninstall
```